SUSE-SU-2026:1524-1

Advisory lineage: Upstream 17, Downstream 0
Published: 21 Apr 2026, 09:26
Last modified: 22 Apr 2026, 08:15

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

21 Apr 2026, 09:26 - Published (vulnerability first disclosed)
22 Apr 2026, 08:15 - Last Modified (vulnerability information updated)

Description

Security update 5.1.3 for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:
- Internal changes to fix build issues with no impact for customers

golang-github-prometheus-prometheus:
- Security issues fixed:
  * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
    + Bumped rollup to version 4.59.0
  * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
    + Bumped brace-expansion to version 5.0.2
  * CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
  * CVE-2025-13465: Bumped lodash package to version 4.17.23 to fix a prototype pollution vulnerability (bsc#1257329)
  * CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260267)
    + Bumped google.golang.org/grpc to version 1.79.3

grafana:
- Security issues fixed:
  * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection is disabled (bsc#1258136)
  * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
  * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
  * CVE-2025-3415: Fixed exposure of the DingDing alerting integration URL to Viewer level users (bsc#1245302)
  * CVE-2026-26958: Bumped filippo.io/edwards25519 to version 1.1.1 (bsc#1258595)
  * CVE-2026-21725: Fixed missing UID when deleting a datasource by name (bsc#1258873)
  * CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
  * CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
  * CVE-2026-28375: Fixed denial of service via the testdata data-source (bsc#1261029)
  * CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
  * CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263)
  * CVE-2026-21724: Fixed authorization bypass that allowed modification of protected webhook URLs (bsc#1260878)
- Version update from 11.5.10 to 11.6.14+security01 with the following highlighted changes and fixes:
  * Public Dashboards: Wired the public dashboard service to the HTTP server to ensure proper connectivity and availability
  * Authentication: Refined the redirect logic to ensure consistent behavior during login and logout sequences
  * Dashboard Reliability: Resolved a bug preventing single panels from rendering correctly when dashboard variables are referenced
  * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface
  * One-Click Actions: Visualizations now support faster navigation via one-click links and actions
  * Alerting History: Added version history for alert rules, allowing you to track changes over time
  * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
  * Cron Support: Annotations now support Cron syntax for more flexible scheduling
  * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath
  * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
  * Alerting Limits: Added size limits for expanded notification templates to prevent system strain
  * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
  * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries
  * Dashboard Reliability:
    + Fixed bugs involving row repeats and 'self-referencing' data links
    + Fixed a bug preventing single panels from rendering correctly when dashboard variables are referenced
  * Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly
  * URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly

prometheus-blackbox_exporter:
- Internal changes to fix build issues with no impact for customers

spacecmd:
- Version 5.1.13-0
  * Update translation strings

uyuni-tools:
- Version 5.1.26-0
  * Fixed applying PTF with images from RPMs (bsc#1252548)
  * SSL key file can be missing if the CA password is blank (bsc#1254154)
  * mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
  * Fixed default value for helm registry (bsc#1258927)
  * Remove hub register command
  * Optimize postgres migration disk space usage (bsc#1257447)
  * Added continuous database backup support (bsc#1250367)
  * Explicitly start proxy pods after operations (bsc#1258015)
  * Use static supportconfig name to avoid dynamic search (bsc#1257941)
  * Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964)
  * Show where the final tarball was generated (bsc#1259208)
  * Set proxy config file permissions (bsc#1257660)
- Version 5.1.25-0
  * If the PTF image doesn't exist, use the current service image (bsc#1258418)

Affected Systems

  • golang-github-lusitaniae-apache_exporter (SUSE Multi Linux Manager Tools SLE-15): < 1.0.10-150002.3.6.1
  • golang-github-prometheus-prometheus (SUSE Multi Linux Manager Tools SLE-15): < 3.5.0-150002.3.8.1
  • grafana (SUSE Multi Linux Manager Tools SLE-15): < 11.6.14+security01-150002.4.14.1
  • prometheus-blackbox_exporter (SUSE Multi Linux Manager Tools SLE-15): < 0.26.0-150002.3.6.1
  • prometheus-blackbox_exporter (SUSE Multi Linux Manager Tools SLE-Micro-5): < 0.26.0-150002.3.6.1
  • spacecmd (SUSE Multi Linux Manager Tools SLE-15): < 5.1.13-150002.3.9.3
  • uyuni-tools (SUSE Multi Linux Manager Tools SLE-15): < 5.1.26-150002.3.12.1
  • uyuni-tools (SUSE Multi Linux Manager Tools SLE-Micro-5): < 5.1.26-150002.3.12.1
